Issue #3458403 by mstrelan: Conditionally disable access to update manager routes

(cherry picked from commit 7f878e8e)

Issue #3458403 by mstrelan: Conditionally disable access to update manager routes
764b6cb7 · catch · 7f752fe0 · 764b6cb7 · 764b6cb7 · 764b6cb7
Commit 764b6cb7 authored Jul 8, 2024 by catch
--- a/core/modules/update/src/Routing/UpdateRouteSubscriber.php
+++ b/core/modules/update/src/Routing/UpdateRouteSubscriber.php
+<?php
+declare(strict_types=1);
+namespace Drupal\update\Routing;
+use Drupal\Core\Routing\RouteSubscriberBase;
+use Drupal\Core\Site\Settings;
+use Symfony\Component\Routing\RouteCollection;
+/**
+ * Route subscriber for Update module routes.
+ */
+class UpdateRouteSubscriber extends RouteSubscriberBase {
+  /**
+   * Constructs a new UpdateRouteSubscriber.
+   */
+  public function __construct(
+    protected Settings $settings,
+  ) {
+  }
+  /**
+   * {@inheritdoc}
+   */
+  protected function alterRoutes(RouteCollection $collection) {
+    if ($this->settings->get('allow_authorize_operations', TRUE)) {
+      return;
+    }
+    $routes = [
+      'update.report_install',
+      'update.report_update',
+      'update.module_install',
+      'update.module_update',
+      'update.theme_install',
+      'update.theme_update',
+      'update.confirmation_page',
+    ];
+    foreach ($routes as $route) {
+      $route = $collection->get($route);
+      $route->setRequirement('_access', 'FALSE');
+    }
+  }
+}
--- a/core/modules/update/update.routing.yml
+++ b/core/modules/update/update.routing.yml
@@ -30,7 +30,6 @@ update.report_install:
    _title: 'Add new module or theme'
  requirements:
    _permission: 'administer software updates'
-    _access_update_manager: 'TRUE'
 update.report_update:
  path: '/admin/reports/updates/update'
@@ -39,7 +38,6 @@ update.report_update:
    _title: 'Update'
  requirements:
    _permission: 'administer software updates'
-    _access_update_manager: 'TRUE'
 update.module_install:
  path: '/admin/modules/install'
@@ -48,7 +46,6 @@ update.module_install:
    _title: 'Add new module'
  requirements:
    _permission: 'administer software updates'
-    _access_update_manager: 'TRUE'
 update.module_update:
  path: '/admin/modules/update'
@@ -57,7 +54,6 @@ update.module_update:
    _title: 'Update'
  requirements:
    _permission: 'administer software updates'
-    _access_update_manager: 'TRUE'
 update.theme_install:
  path: '/admin/theme/install'
@@ -66,7 +62,6 @@ update.theme_install:
    _title: 'Add new theme'
  requirements:
    _permission: 'administer software updates'
-    _access_update_manager: 'TRUE'
 update.theme_update:
  path: '/admin/appearance/update'
@@ -75,7 +70,6 @@ update.theme_update:
    _title: 'Update'
  requirements:
    _permission: 'administer software updates'
-    _access_update_manager: 'TRUE'
 # @todo Deprecate this route once
 #   https://www.drupal.org/project/drupal/issues/3159210 is fixed, or remove
@@ -97,4 +91,3 @@ update.confirmation_page:
    _title: 'Ready to update'
  requirements:
    _permission: 'administer software updates'
-    _access_update_manager: 'TRUE'
--- a/core/modules/update/update.services.yml
+++ b/core/modules/update/update.services.yml
@@ -24,3 +24,6 @@ services:
  logger.channel.update:
    parent: logger.channel_base
    arguments: [ 'update' ]
+  update.route_subscriber:
+    class: Drupal\update\Routing\UpdateRouteSubscriber
+    arguments: ['@settings']